Commentary

Does Tracking Lead To Hacking? Study Scores Email Practice

It may be an understatement to say “the simple act of viewing emails contains privacy pitfalls.” But that’s the main theme of “I never signed up for this! Privacy
implications of email tracking,” a research paper delivered at the Federal Trade Commission’s PrivacyCon 2018 this week.

The authors — Steven Englehardt, Jeffrey Han and Arvind Narayanan — put tracking, a widely used email marketing tool, under a harsh light. And they tie it to the spread of personally identifiable information (PII).

For this
research, the writers identified “a network of hundreds of third parties that track email recipients via methods such as embedded pixels.”

The problem is that “about 30% of
emails leak the recipient's email address to one or more of these third parties when they are viewed.”

These leaks are intentional in most cases, and “further leaks occur if the
recipient clicks links in emails,” the authors continue.


“This is of concern not only because third parties can learn the recipient’s IP address, when emails were opened, and so on, but also because these third parties are by and large the same ones that are involved in web tracking,” they warn.

And they add: “This means that trackers can connect email addresses
to browsing histories and profiles, which leads to further privacy breaches such as cross-device tracking and linking of online and offline activities.”

To get technical about it, they explain that “email tracking is possible because most graphical email clients allow rendering a subset of HTML. JavaScript is invariably stripped, but embedded images and stylesheets are allowed.”

To continue: “these are downloaded and rendered by the email client when the user views the email (unless they are proxied by the user’s email server; of the providers we studied, only Gmail and Yandex do so).”
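As an added illustration of the mechanism described in that quote (example code written for this commentary, not code from the paper’s authors), the Python script below does what a mail client or a server-side filter would have to do to spot such a leak: it pulls every remote image out of a constructed HTML newsletter, flags 1×1 pixels, third-party hosts and plain-HTTP fetches, and checks whether the recipient’s address appears in the URL in the clear, URL-encoded, base64-encoded, or as an MD5, SHA-1 or SHA-256 digest. The message, the recipient, the sender domain and the tracker hostnames are all made up for the example.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse


def identifier_forms(email):
    """Encodings of a recipient address that a tracking URL might carry.

    Trackers commonly send the address in the clear, URL-encoded,
    base64-encoded, or as an unsalted hex digest of the lower-cased address.
    URL-encoding is not listed separately because the scanner percent-decodes
    every URL before matching.
    """
    raw = email.strip().lower().encode()
    return {
        "plain": email.strip().lower(),
        "base64": base64.b64encode(raw).decode(),
        "md5": hashlib.md5(raw).hexdigest(),
        "sha1": hashlib.sha1(raw).hexdigest(),
        "sha256": hashlib.sha256(raw).hexdigest(),
    }


# Constructed sample message (not a real newsletter): a mailing sent from
# news.example.org to alice@example.net. The tracker hostnames are invented.
RECIPIENT = "alice@example.net"
SENDER_DOMAIN = "example.org"
_forms = identifier_forms(RECIPIENT)
SAMPLE_HTML = f"""
<html><body>
<p>Hello Alice, here is this week's newsletter.</p>
<img src="https://news.example.org/img/header.png" width="600" alt="header">
<img src="http://t.tracker-a.example/open.gif?e=alice%40example.net&c=42" width="1" height="1">
<img src="https://px.tracker-b.example/p?u={_forms['md5']}" width="1" height="1">
<img src="https://cdn.tracker-c.example/beacon?id={_forms['base64']}">
</body></html>
"""


class ImageCollector(HTMLParser):
    """Collects the attributes of every <img> tag that has a src."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            a = dict(attrs)
            if a.get("src"):
                self.images.append(a)


def find_leaks(url, recipient):
    """Return the encodings of `recipient` that appear in `url`."""
    decoded = unquote(url)
    forms = identifier_forms(recipient)
    hits = []
    if forms["plain"] in decoded.lower():
        hits.append("plain")
    if forms["base64"] in decoded:  # base64 is case-sensitive, do not lower()
        hits.append("base64")
    for algo in ("md5", "sha1", "sha256"):
        if forms[algo] in decoded.lower():
            hits.append(algo)
    return hits


def is_third_party(host, sender_domain):
    """True unless the host is the sender's domain or a subdomain of it."""
    host = (host or "").lower()
    return not (host == sender_domain or host.endswith("." + sender_domain))


def analyze_email(html, recipient, sender_domain):
    """One finding per remote image: where it loads from, how, and what it leaks."""
    collector = ImageCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.images:
        url = attrs["src"]
        parsed = urlparse(url)
        findings.append({
            "host": parsed.hostname,
            "third_party": is_third_party(parsed.hostname, sender_domain),
            "plaintext_http": parsed.scheme == "http",
            "tracking_pixel": attrs.get("width") == "1" and attrs.get("height") == "1",
            "leaks": find_leaks(url, recipient),
        })
    return findings


if __name__ == "__main__":
    for finding in analyze_email(SAMPLE_HTML, RECIPIENT, SENDER_DOMAIN):
        print(finding)
```

Run directly, it prints one finding per image: the first-party header image comes back clean, while the three invented trackers each carry the address in a different encoding, one of them over plain HTTP. Matching on digests of the lower-cased address is what makes hashed leaks detectable at all; a scanner that only looked for the literal address would miss two of the three.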

We agree with some of what this trio say: it’s a clear violation to track — or do much of anything — if these are not
permission-based subscriber lists. But do they mean to say that cross-device tracking — a measurement and attribution tool — is a privacy violation?

It probably is under General
Data Protection Regulation — that is, when it occurs without notification and transparency. And the FTC may see it the same way.

The authors note that “email began as a
non-interactive protocol for sending simple textual messages.” But they add that “modern email clients support much of the functionality of the web, and the explosion of third-party web
tracking has also extended to emails, especially mailing lists.”

Worse, “nearly 91% of URLs containing leaks of emails are sent in plaintext,” that is, over unencrypted HTTP rather than HTTPS, so the address is exposed not only to the tracker but to anyone able to observe the network path.

The purpose of this report
is not to help companies, but to warn the public of this purported violation. And it includes the government as a possible violator.

“The NSA is known to piggyback on advertising cookies
for surveillance, and our work suggests one way in which a surveillance agency might attach identities to web activity records,” it states.

But doesn’t hashing protect email addresses the way it protects passwords? No. A password hash resists attack only because a good password is hard to guess and the hash is salted and deliberately slow. A hashed email address is used as a lookup key, so it is fast, unsalted, and computed over an input that is easy to guess.

“Hashing of PII, including emails, is not a meaningful privacy protection,” the research team states. “This is folk knowledge in
the security community, but bears repeating.”

What’s the flaw in hashing? “When user records in a database are keyed by hashed email address, looking up the record for a given email address is trivial: simply hash it first and look it up (indeed, this is the whole point of storing hashed email addresses at all).”

In addition, “data associated with a hash of an
unknown email address is also likely to be recoverable.”
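To make both halves of that argument concrete, here is an added Python example (written for this commentary, not the researchers’ code) run against a constructed tracker dataset keyed by the unsalted SHA-256 of the lower-cased address. The choice of SHA-256 is an assumption; trackers differ in the digest they use, and the same reasoning holds for MD5 or SHA-1. The first function shows that anyone holding an address can pull the matching record with a single hash; the second recovers the addresses behind hashes it has never seen by hashing guessable name-and-domain combinations and checking for a match. The names, domains and records are invented.

```python
import hashlib


def hash_email(email):
    """Normalise and hash an address the way a tracker keying on hashes would.

    Assumption: unsalted SHA-256 of the lower-cased address. Any fixed,
    unsalted digest behaves the same for the purposes shown here.
    """
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


# Constructed tracker dataset (not real data): records keyed by hashed address.
TRACKER_DB = {
    hash_email("alice@example.net"): {"opens": 12, "last_ip": "203.0.113.7"},
    hash_email("bob.smith@example.com"): {"opens": 3, "last_ip": "198.51.100.23"},
    hash_email("zq7x91@example.org"): {"opens": 1, "last_ip": "192.0.2.44"},
}

# Small constructed dictionaries; a real attacker would use leaked address
# lists or common-name corpora with millions of entries.
FIRST_NAMES = ["alice", "bob", "carol"]
LAST_NAMES = ["smith", "jones"]
DOMAINS = ["example.net", "example.com", "example.org"]


def lookup(email, db):
    """Point 1: a hashed key is no barrier to anyone who already knows the address."""
    return db.get(hash_email(email))


def candidate_local_parts(first, last):
    """Common local-part patterns built from a first and a last name."""
    return {
        first,
        f"{first}.{last}",
        f"{first}{last}",
        f"{first[0]}{last}",
        f"{first}_{last}",
        f"{last}.{first}",
    }


def recover_addresses(db, first_names, last_names, domains):
    """Point 2: recover the addresses behind unknown hashes by enumeration.

    Email addresses are low-entropy and follow guessable patterns, so hashing
    every plausible candidate and testing membership in the key set recovers
    most of them. Returns {hash: recovered_address}.
    """
    recovered = {}
    for first in first_names:
        for last in last_names:
            for local in candidate_local_parts(first, last):
                for domain in domains:
                    candidate = f"{local}@{domain}"
                    digest = hash_email(candidate)
                    if digest in db:
                        recovered[digest] = candidate
    return recovered


if __name__ == "__main__":
    print("lookup:", lookup("Alice@Example.net", TRACKER_DB))
    found = recover_addresses(TRACKER_DB, FIRST_NAMES, LAST_NAMES, DOMAINS)
    for digest, email in found.items():
        print(f"{digest[:12]}... -> {email} {TRACKER_DB[digest]}")
    print(f"{len(found)} of {len(TRACKER_DB)} records de-anonymised")
```

Of the three records, the two built from ordinary name patterns are recovered; only the random-looking local part survives this tiny dictionary, and a real attacker would use corpora of leaked addresses rather than five names. A salt would not change the picture either: the tracker needs the same function for every lookup, so the salt would have to be fixed and shared, and once it is known the enumeration proceeds exactly as before.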

In the future, the authors want to zero in on mailing list managers.

“It would be helpful to better understand the
relationship between email senders and mailing list managers (such as Constant Contact). To what extent is email tracking driven by senders versus mailing list managers? When a sender sets up a
marketing campaign with a mailing list manager, is the tracking disclosed to the sender?”